Position Paper 


Comments regarding Guidelines 10/2020 on restrictions under Article 
23 GDPR, Version 1.0, adopted on 15 December 2020 
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Introduction 


Floreani Studio Legale Associato welcomes the opportunity to provide a response to the 
European Data Protection Board’s consultation on the drafts Guidelines 10/2020 on 
restrictions under Article 23 and invites the EDPB to evaluate the following proposals as well 


as to clarify the problems highlighted below. 


3 REQUIREMENTS OF ARTICLE 23(1) GDPR 

3.1 Respect of the essence of the fundamental rights and freedoms 

Para. 14: “One of the main objectives of data protection law is to enhance data subjects’ 
control over personal data concerning them. Any restriction shall respect the essence of 
the right that is being restricted”. 


Comment: It is suggested to the EDPB to specify through another practical cases the 
prediction according to which “Any restriction shall respect the essence of the right that is 


being restricted”. 


3.2 Legislative measures laying down restrictions and the need to be foreseeable (Rec. 41 
and CJEU case law) 

Para. 16: “(...) Recital 41 GDPR states that “[w]Jhere this Regulation refers to a legal basis 
or a legislative measure, this does not necessarily require a legislative act adopted by a 
parliament, without prejudice to requirements pursuant to the constitutional order of the 
Member State concerned. However, such a legal basis or legislative measure should be 
clear and precise and its application should be foreseeable to persons subject to it, in 
accordance with the case-law of the Court of Justice of the European Union [...] and the 
European Court of Human Rights” 


Comment: It is suggested to the EDPB to specify through practical examples the concept of 


“Foreseeability” for the purposes of compliance with the aforementioned criterion. 
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Para. 18: “While any legislative measure must in any case be adapted to the objective 
pursued and meet the foreseeability criterion, a legislative measure laying down the 
provisions for the application of restrictions under Article 23 GDPR does not always have 
to be limited in time or linked to a specific period”. 


Comment: The first subparagraph of section 18 stipulates that “/n some cases, the restriction 
is not specifically linked to a timeframe because the ground for the restriction to be 
safeguarded by the legislative measure is not in itself limited in time”. \We would like to 
request the EDPB to confirm that the restrictions without clear time limitations meet the 
predictability criterion taking into account what is represented by the EDPB on 3 june 2020 


(“response to NGOs on Hungarian Decrees and statement on Article 23 GDPR”). 


3.3.3 Other important objectives of general public interest 

Para. 27: “Article 23(1)(e) GDPR mentions as other important objectives of general public 
interest of the Union or of a Member-State important economic or financial interest, 
including monetary, budgetary and taxation matters, public health and social security. It 
may concern for instance the keeping of public registers kept for reasons of general public 
interest or the further processing of archived personal data to provide specific information 
related to the political behaviour under former totalitarian state regimes. On the other 


hand, the costs incurred as a consequence of providing information and thus the financial 


burden on public budgets are not sufficient to justify a public interest in restricting the 


rights of the data subjects”. 


Comment: With reference to “Other important objectives of general public interest” to 


article 23 (1)(e) GDPR, we suggest the EDPB to mention some examples in the Guidelines. 


3.5 Necessity and proportionality test 

Para. 38: “Restrictions are only lawful when they are a necessary and proportionate 
measure in a democratic society, as stated in Article 23(1) GDPR. This means that 
restrictions need to pass a necessity and proportionality test in order to be compliant with 
the GDPR”. 

Comment: We ask the EDPB to specify more that the necessity and proportionality test 
should be carried out before the decision-making of applying a restriction by the legislator 


in light of provision of paragraph 86 of the Guidelines. 
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4 REQUIREMENTS OF ARTICLE 23 (2) GDPR 

4.5 Storage periods 

Para. 57: “Article 23(2)(f) GDPR establishes that the legislative measure must include a 
specific provision regarding the storage periods and applicable safeguards taking into 
account the nature, scope and purposes of the processing/categories of processing. For 
instance, the retention period could be calculated as the duration of the processing 
operation plus additional time for potential litigation”. 


Comment: We ask the EDPB to clarify whether, if it is not possible to identify the storage 


periods, the controller may recall the criteria used to determine this period. 


4.6 Risks to data subjects’ rights and freedoms 


Para. 61: “When such assessment is provided, the EDPB considers necessary to include it in 
the recitals or explanatory memorandum of the legislation or in the impact assessment”. 


Comment: With respect to the provision in question, it may be appropriate for the EDPB to 


specify the concept of “explanatory memorandum of the legislation”. 


4.7 Right to be informed about the restriction, unless prejudicial to the purpose of the 
restriction 

Para. 62: “Article 23(2)(h) GDPR states that, unless it may be prejudicial to the purpose of 
the restriction, data subjects shall be informed of the restriction. This means that data 
subjects should be informed about the restriction to their right to information as a rule. To 
that purpose, a general data protection notice may be sufficient”. 


Comment: With reference to the highlighted paragraph and, specifically, in relation to the 
to the right of data subjects to be informed about the restriction, it is proposed to the EDPB 
to identify some examples in the Guidelines on the ways in which the information shall be 


made available to the data subjects. 


5 ACCOUNTABILITY PRINCIPLE 


Para. 66: “In light of the accountability principle (Article 5(2) GDPR), the controller should 





document the application of restrictions on concrete cases by keeping a record of their 





application. This record should include the applicable reasons for the restrictions, which 
rounds among those listed in Article 23(1) GDPR apply (where the legislative measure 


allows for restrictions on different grounds), its timing and the outcome of the necessit 
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and proportionality test. The records should be made available on request to the data 
protection supervisory authority (SA)”. 


Comment: We ask the EDPB to specify that the keeping of the record must be the subject of 
a specific assessment made by the controller and not an obligation as it is not governed by 


the Regulation. 


6 CONSULTATION WITH THE SAS (ARTICLES 36(4) AND 57(1)(C) GDPR) 

Para. 72 “In addition, data protection legislation at national level may set out specific 
procedures regarding the adoption of legislative measures that aim at restricting the rights 
afforded by Articles 12 to 22 and Article 34 GDPR, in line with Article 23 GDPR. This could 
be the case only if in line with the GDPR”. 


Comment: With regard to the possibility of the data protection legislation at national level 
to “may set out specific procedures regarding the adoption of legislative measures that aim 
at restricting the rights afforded by Articles 12 to 22 and Article 34 GDPR, in line with Article 
23 GDPR’”, it is suggested to the EDPB to specify the application profiles of the specific 


procedures in question. 


7 EXERCISE OF DATA SUBJECTS’ RIGHTS AFTER THE LIFTING OF THE RESTRICTION 

Para. 73: “The controller should lift the restrictions as soon as the circumstances that justify 
them no longer apply. If the data subjects have not yet been informed of the restrictions 
before that moment, they should be at the latest when the restriction if lifted”. 


Comment: With reference to the highlighted paragraph and, specifically, in relation to the 
obligation of the controller to informed the data subjects on the lifting of the restriction, it 
is proposed to the EDPB to identify some examples in the Guidelines on the methods and 


terms of adequate and timely information. 


8 INFRINGEMENTS OF ARTICLE 23 GDPR 


8.2 Non-observation of a legislative measure imposing such restrictions by a controller 


Gi 


Para. 80: “Where the legislative measures imposing restrictions under Article 23 GDPR 


comply with the GDPR but are infringed by a controller, SAs can make use of their adviso. 





investigative, corrective and powers against it, as in any other case of non-observation o 





GDPR rules”. 
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Comment: With respect to the provision in question, it may be appropriate for the EDPB to 
clarify whether the failure to keep the record mentioned in point 5 (an obligation not 


governed by the Regulation) is a conduct that can be sanctioned by the SAs. 


9 CONCLUSIONS 


Para. 86: “The proportionality test should be carried out before the decision-making of 
applying a restriction by the legislator”. 


Comment: We would like to the EDPB to clarify whether the execution of the proportionality 


test before applying a limitation constitutes a faculty or an obligation. 


Para 87: “SAs should be consulted before the adoption of the legislative measures setting 
the restrictions and have the powers to enforce its compliance with the GDPR”. 


Comment: We ask the EDPB to clarify whether that the prior consultation of the SAs before 
the adoption of the legislative measures setting the restrictions constitutes a or an 


obligation. 


We would be grateful for your consideration of our comments and proposals and remain 


available for any clarification and further information. 
Sincerely. 


9 february 2021 


FLOREANI 


Studio Legale Associato 
UDINE — TRIESTE - ROMA 





